I understand this might not be directly related to Cisco but I'm having a hard time finding info and trying to get it work.
Pretty much I'm trying to move away from using the inbuilt CA on the ASA for authenticating users with certs. I've managed to get the firewall to use SCEP and OCSP so it can autoenroll users when they first login and OCSP to check if their cert has been revoked. My main problem now is that a new cert is enrolled every time the user logs into a new device, so each user has a new cert on every device the login with. I want to restrict this so a single cert is only issued out to a single device for each user (so if they login with a new device autoenroll won't work and they can't get a cert) and when that cert is revoked (e.g. user got a new laptop) they can login with Anyconncet and they will autoenroll with a new cert.
I'm finding it hard trying to find anything on the MS CA that can do this, so what I'm asking is if the ASA can play any part of doing this, or is there a function on the MS CA that I'm missing that can do this.
Create another tunnel-group/connection that doesn't use SCEP enrollment. So for the first connection the user connects to a cert enroll connection profile/tunnel-group, receives a certificate and a new XML profile. From then on they connect to the 2nd connection profile/tunnel-group and uses the certificate to authenticate.
Thank you for the reply. I think I understand what you mean, but will that help with my problem? As users could just get onto another device, choose the tunnel group that enrolls them with the cert and get the cert that way. Then they just login with the other tunnel group with the cert that has been distributed to other devices the user has logged in with.
@BVC when connected to the certenroll connection profile, apply an interface ACL or VPN Filter or DACL to restrict access only to the CA to allow them to enroll for a certificate. They must connect to the other connection profile that gives them full access, obviously this will require some user instructions/training.
Ideally if possible you'd pre-deploy the certificates, if you have AD you can use a GPO to do this when they are connected to the network. You'd not need a cert enroll connection profile then.
We’re excited to announce new capabilities with Secure Endpoint that allow you to simplify your security and maximize your security operations: Unify your security stack and reduce agent fatigue with Cisco Secure Client; harness integrated risk-based vuln...
Listen: https://smarturl.it/CCRS8E47 Follow us: twitter.com/ciscochampions
Ransomware, fileless malware, and zero-day attacks continue to target organizations around the world. In response, organizations have resorted to deploying a variety of d...
This is a general information page for Cisco Threat Centric (TC-NAC) with ISE
Threat Centric Network Access Control (TC-NAC) feature enables you to create authorization policies based on the threat and vulnerability attributes received from the th...
The 2021 IT Blog Awards, hosted by Cisco, is now open for submissions. Submit your blog, vlog or podcast today. For more information, including category details, the process, past winners and FAQs, check out: https://www.cisco.com/c/en/us/t...
Cisco Secure Endpoint (formerly AMP for Endpoints) will decommission legacy cloud servers, which results in Legacy Windows Connector Versions 3.x/4.x and Mac Connector Version 1.0.x ceasing to ...